The IMA TCB policy is dangerous. A normal user can use all of a system's memory (which cannot be freed) simply by building and running lots of executables. The TCB policy is also nearly useless because logging in as root often causes a policy violation when dealing with utmp, thus rendering the measurements meaningless.

There is no good fix for this in the kernel. A full TCB policy would need to be loaded in userspace using LSM rule matching to get both a protected and useful system. But, if too little is measured before userspace can load a real policy one again ends up with a meaningless set of measurements. One option would be to put the policy load inside the initrd in order to get it early enough in the boot sequence to be useful, but this runs into trouble with the LSM. For IMA to measure the LSM policy and the LSM policy loading mechanism it needs rules to do so, but we already talked about problems with defaulting to such broad rules...

IMA also depends on the files being measured to be on an FS which implements and supports i_version. Since the only FS with this support (ext4) doesn't even use it by default it seems silly to have any IMA rules by default.

This should reduce the performance overhead of IMA to near 0 while still letting users who choose to configure their machine as such to include the ima_tcb kernel parameter and get measurements during boot before they can load a customized, reasonable policy in userspace.

+ ima_tcb [IMA]+ Load a policy which meets the needs of the Trusted+ Computing Base. This means IMA will measure all+ programs exec'd, files mmap'd for exec, and all files+ opened for read by uid=0.+ in2000= [HW,SCSI] See header of drivers/scsi/in2000.c.
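Review bot: the new ima_tcb entry documents only what the policy measures and omits the two caveats the commit message itself gives, so an administrator reading kernel-parameters alone will not learn what enabling it costs: the measurement list grows with every executable run and that memory is never freed, and measurements are only meaningful for files on a filesystem with i_version support (ext4, which the message notes does not enable it by default). Suggest a closing sentence along the lines of "Measurement list entries are never freed, and files must reside on a filesystem with i_version enabled for the measurements to be meaningful."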
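The "customized, reasonable policy in userspace" the message points to, as an added example that is not part of this patch: a policy with the same three measure rules as ima_tcb, plus dont_measure rules that keep pseudo-filesystems out of the measurement list and an LSM-label rule that excludes utmp, the file the message names as the source of root-login policy violations. The SELinux type `initrc_var_run_t` for utmp and the securityfs path are assumptions about the target system.

```shell
#!/bin/sh
# Added example, not kernel code. Emits, checks and loads an IMA policy.
# Assumption: securityfs is mounted at /sys/kernel/security.
IMA_POLICY_PATH=${IMA_POLICY_PATH:-/sys/kernel/security/ima/policy}

# One rule per line; the kernel evaluates them in order, first match wins,
# so the dont_measure rules must precede the broad measure rules.
# fsmagic values: proc, sysfs, debugfs, tmpfs, securityfs, selinuxfs.
# obj_type=initrc_var_run_t is an assumption: check `ls -Z /var/run/utmp`.
ima_policy() {
    cat <<'EOF'
dont_measure fsmagic=0x9fa0
dont_measure fsmagic=0x62656572
dont_measure fsmagic=0x64626720
dont_measure fsmagic=0x01021994
dont_measure fsmagic=0x73636673
dont_measure fsmagic=0xf97cff8c
dont_measure obj_type=initrc_var_run_t
measure func=BPRM_CHECK
measure func=MMAP_CHECK mask=MAY_EXEC
measure func=FILE_CHECK mask=MAY_READ uid=0
EOF
}

# Reads a policy on stdin; succeeds only if every line is a measure or
# dont_measure rule and every measure rule names a hook via func=.
# The kernel normally accepts a policy once per boot, so check it first.
ima_policy_check() {
    awk '
        $1 != "measure" && $1 != "dont_measure" { bad = 1 }
        $1 == "measure" && $0 !~ /func=/        { bad = 1 }
        END { exit bad }'
}

# Loads the policy; fails early when IMA or securityfs is not available.
ima_policy_load() {
    if [ ! -w "$IMA_POLICY_PATH" ]; then
        echo "cannot write $IMA_POLICY_PATH: IMA or securityfs unavailable" >&2
        return 1
    fi
    ima_policy | ima_policy_check || return 1
    ima_policy > "$IMA_POLICY_PATH"
}
```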